Abstract

We prove two theorems saying that no distributed system in which processes coordinate using reliable registers and f-resilient services can solve the consensus problem in the presence of f + 1 undetectable process stopping failures. (A service is f-resilient if it is guaranteed to operate as long as no more than f of the processes connected to it fail.)

Our first theorem assumes that the given services are atomic objects, and allows any connection pattern between processes and services. In contrast, we show that it is possible to boost the resilience of systems solving problems easier than consensus: the k-set consensus problem is solvable for 2k − 1 failures using 1-resilient consensus services. The first theorem and its proof generalize to the larger class of failure-oblivious services.

Our second theorem allows the system to contain failure-aware services, such as failure detectors, in addition to failure-oblivious services; however, it requires that each failure-aware service be connected to all processes. Thus, f + 1 process failures overall can disable all the failure-aware services. In contrast, it is possible to boost the resilience of a system solving consensus if arbitrary patterns of connectivity are allowed between processes and failure-aware services: consensus is solvable for any number of failures using only 1-resilient 2-process perfect failure detectors.

1 Introduction 

We consider distributed systems consisting of asynchronously operating processes that coordinate using reliable multi-writer multi-reader registers and shared services. A service is a distributed computing mechanism that interacts with distributed processes, accepting invocations, performing internal computation steps, and delivering responses. Examples of services include:

• Shared atomic (linearizable) objects, defined by sequential type specifications [11, 14], for example, atomic read-modify-write, queue, counter, test&set, and compare&swap objects. The consensus problem can also be defined as an atomic object.

• Concurrently-accessible data structures such as balanced trees.

• Broadcast services such as totally ordered broadcast [10].

• Failure detectors, which provide processes with hints about the failure of other processes [5].¹

Thus, our notion of a service is quite general. We define three successively more general classes of service — atomic objects, failure-oblivious services, and general (possibly failure-aware) services — in Sections 2, 6, and 7. We define our services to tolerate a certain number f of failures: a service is f-resilient if it is guaranteed to operate as long as no more than f of the processes connected to it fail.

A fundamental, general question in distributed computing theory is: "What problems can be solved by distributed systems, with what levels of resilience, using services of given types and levels of resilience?" In this paper, we expose a basic limitation on the achievable resilience, namely, that the resilience of a system cannot be "boosted" above that of its services. More specifically, we prove two theorems saying that no distributed system in which processes coordinate using reliable registers and f-resilient services can solve the consensus problem in the presence of f + 1 process stopping failures.
¹ Our notion of service encompasses all failure detectors defined by Chandra et al. [4] with one exception: we exclude failure detectors that can guess the future.



We focus on the consensus problem because it has been shown to be fundamental to the study of resilience in distributed systems. For example, Herlihy has shown that consensus is universal [11]: an atomic object of any sequential type can be implemented in a wait-free manner (i.e., tolerating any number of failures), using wait-free consensus objects.

Our first main theorem, Theorem 1, assumes that 
the given services are atomic objects and allows any 
connection pattern between processes and services. 
The result is a strict generalization of the classical im- 
possibility result of Fischer et al. [8] for fault-tolerant 
consensus. Our simple, self-contained impossibility 
proof is based on a bivalence argument similar to the 
one in [8] . The proof involves showing that decisions 
can be made in a particular way, described by a hook 
pattern of executions. 

In contrast to the impossibility of boosting for consensus, we show that it is possible to boost the resilience of systems solving problems easier than consensus. In particular, we show that the k-set consensus problem [6] is solvable for 2k − 1 failures using 1-resilient consensus services.

Theorem 1 and its proof assume that the given services are atomic objects; however, they extend to the larger class of failure-oblivious services. A failure-oblivious service generalizes an atomic object by allowing an invocation to trigger multiple processing steps instead of just one, and to trigger any number of responses, at any endpoints. The service may also include background processing tasks, not related to any specific endpoint. The key constraint is that no step may depend on explicit knowledge of failure events. We define the class of failure-oblivious services, give examples (e.g., totally-ordered broadcast), and describe how Theorem 1 can be extended to such services.

Our second main theorem, Theorem 11, addresses the case where the system may contain failure-aware services (e.g., failure detectors), in addition to failure-oblivious services and reliable registers. This result also says that boosting is impossible. However, it requires the additional assumption that each failure-aware service is connected to all processes; thus, f + 1 process failures overall can disable all the failure-aware services. The proof is an extension of the first proof, using the same "hook" construction. We also show that the stronger connectivity assumption is necessary, by demonstrating that it is possible to boost the resilience of a system solving consensus if arbitrary connection patterns are allowed between processes and failure-aware services: specifically, consensus is solvable for any number of failures using only 1-resilient 2-process perfect failure detectors.

Related work. Our Theorem 1, for atomic services, can be derived by carefully combining several earlier theorems, including Herlihy's result on universality of consensus [11], and the result of Chandra et al. on f-resiliency vs. wait-freedom [3] (see Appendix A). However, this argument does not extend to prove impossibility of boosting for failure-oblivious and failure-aware services. Moreover, some of the proofs upon which this alternative proof rests are themselves more complex than our direct proof.

Theorem 1 appeared first in a technical report [1]. 
Subsequent impossibility results for atomic objects ap- 
peared in [9, 15]. Our models for failure-oblivious ser- 
vices and general services are new. As far as we know, 
this is the first time a unified framework has been used 
to express atomic and non-atomic objects. Moreover, 
this is the first time boosting analysis has been per- 
formed for services more general than atomic objects. 

Organization. Section 2 presents definitions for the 
underlying model of concurrent computation and for 
atomic objects. Section 3 presents our model for a 
system whose services are atomic objects. Section 4 
presents the first impossibility result. Section 5 shows 
that boosting is possible for set consensus. Section 6 
defines failure-oblivious services, gives an example, 
and extends the first impossibility result to systems 
with failure-oblivious services. Section 7 defines gen- 
eral services, gives examples, and presents our sec- 
ond main impossibility result. Appendix A shows how 
Theorem 1 can be derived from results in [3, 11] and 
why these arguments do not extend to services more 
general than atomic services. Appendix B provides 
the complete proofs for the extension of the first im- 
possibility result to failure-oblivious services. 



2 Mathematical Preliminaries 

2.1 Model of concurrent computation 

We use the I/O automaton model [18, chapter 8] as our underlying model for concurrent computation. We assume the terminology of [18, chapter 8]. An I/O automaton A is deterministic iff, for each task e of A, and each state s of A, there is at most one transition (s, a, s′) such that a ∈ e.

An execution α of A is fair iff for each task e of A: (1) if α is finite, then e is not enabled in the final state of α, and (2) if α is infinite, then α contains either infinitely many actions of e, or infinitely many occurrences of states in which e is not enabled. A trace of A is a sequence of external actions of A obtained by removing the states and internal actions from an execution of A. A trace of a fair execution is called a fair trace. If α and α′ are execution fragments of A (with α finite) such that α′ starts in the last state of α, then the concatenation α · α′ is defined, and is called an extension of α.

2.2 Sequential types 

We define the notion of a "sequential type", in order to describe allowable sequential behavior of atomic services. The definition used here generalizes the one in [18, chapter 9]: here, we allow nondeterminism in the choice of the initial state and the next state. Namely, sequential type T = (V, V₀, invs, resps, δ) consists of:

• V, a nonempty set of values,

• V₀ ⊆ V, a nonempty set of initial values,

• invs, a set of invocations,

• resps, a set of responses, and

• δ, a binary relation from invs × V to resps × V that is total, in the sense that, for every (a, v) ∈ invs × V, there is at least one (b, v′) ∈ resps × V such that ((a, v), (b, v′)) ∈ δ.

We sometimes use dot notation, writing T.V, T.V₀, T.invs, ... for the components of T. We say that T is deterministic if V₀ is a singleton set {v₀}, and δ is a mapping, that is, for every (a, v) ∈ invs × V, there is exactly one (b, v′) ∈ resps × V such that ((a, v), (b, v′)) ∈ δ.

We allow nondeterminism in our definition of a sequential type in order to make our notion of "service" as general as possible. In particular, the problem of k-set-consensus can be specified using a nondeterministic sequential type.

Example. Read/write sequential type: Here, V is a set of "values", V₀ = {v₀}, where v₀ is a distinguished element of V, invs = {read} ∪ {write(v) : v ∈ V}, resps = V ∪ {ack}, and δ = {((read, v), (v, v)) : v ∈ V} ∪ {((write(v), v′), (ack, v)) : v, v′ ∈ V}.

Example. Binary consensus sequential type: Here, V = {{0}, {1}, ∅}, V₀ = {∅}, invs = {init(v) : v ∈ {0, 1}}, resps = {decide(v) : v ∈ {0, 1}}, and δ = {((init(v), ∅), (decide(v), {v})) : v ∈ {0, 1}} ∪ {((init(v), {v′}), (decide(v′), {v′})) : v, v′ ∈ {0, 1}}.

Example. k-consensus sequential type: Now V is the set of subsets of {0, 1, ..., k} having at most k elements, V₀ = {∅}, invs = {init(v) : v ∈ {0, 1, ..., k}}, resps = {decide(v) : v ∈ {0, 1, ..., k}}, and δ = {((init(v), W), (decide(v′), W ∪ {v})) : |W| < k, v′ ∈ W ∪ {v}} ∪ {((init(v), W), (decide(v′), W)) : |W| = k, v′ ∈ W}.

Thus, the first k values are remembered, and every operation returns one of these values.

2.3 Canonical f-resilient atomic objects

A "canonical f-resilient atomic object" describes the allowable concurrent behavior of atomic objects. Namely, we define the canonical f-resilient atomic object of type T for endpoint set J and index k, where

• T is a sequential type,

• J is a finite set of endpoints at which invocations and responses may occur,

• f ∈ ℕ is the level of resilience, and

• k is a unique index (name) for the service.

The object is described as an I/O automaton, in Figure 1.

The parameter J allows different objects to be connected to the same or different sets of processes. A process at endpoint i ∈ J can issue any invocation specified by the underlying sequential type and can (potentially) receive any allowable response. We allow concurrent (overlapping) operations, at the same or different endpoints. The object preserves the order of concurrent invocations at the same endpoint i by keeping the invocations and responses in internal FIFO buffers, two per endpoint (one for invocations from the endpoint, the other for responses to the endpoint). The object chooses the result of an operation nondeterministically, from the set of results allowed by the transition relation T.δ applied to the invocation and the current value of val. The object can exhibit nondeterminism due to nondeterminism of sequential type T, and due to interleavings of steps for different invocations.

We model a failure at an endpoint i by an explicit input action fail_i. We use the task structure of I/O automata and the basic definition of fair executions to specify the required resilience: For every process i ∈ J, we assume the service has two tasks, which we call the i-perform task and i-output task. The i-perform task includes the perform_{i,k} action, which carries out operations invoked at endpoint i. The i-output task includes all the b_{i,k} actions giving responses at i. In addition, every i-* task (* is perform or output) contains a special dummy_*_{i,k} action, which is enabled when either process i has failed or more than f processes in J have failed. The dummy_*_{i,k} action is intended to allow, but not force, the service to stop performing


CanonicalAtomicObject(T, J, f, k),
where T = (V, V₀, invs, resps, δ)

Signature:
  Inputs:
    a_{i,k}, a ∈ invs, i ∈ J, the invocations at endpoint i
    fail_i, i ∈ J
  Outputs:
    b_{i,k}, b ∈ resps, i ∈ J, the responses at endpoint i
  Internals:
    perform_{i,k}, i ∈ J
    dummy_*_{i,k}, * ∈ {perform, output}, i ∈ J

State components:
  val ∈ V, initially an element of V₀
  inv-buffer, a mapping from J to finite sequences of invs, initially identically empty
  resp-buffer, a mapping from J to finite sequences of resps, initially identically empty
  failed ⊆ J, initially ∅

Transitions:
  Input: a_{i,k}
    Effect:
      add a to end of inv-buffer(i)

  Internal: perform_{i,k}
    Precondition:
      a = head(inv-buffer(i))
      δ((a, val), (b, v))
    Effect:
      remove head of inv-buffer(i)
      val ← v
      add b to end of resp-buffer(i)

  Output: b_{i,k}
    Precondition:
      b = head(resp-buffer(i))
    Effect:
      remove head of resp-buffer(i)

  Input: fail_i
    Effect:
      failed ← failed ∪ {i}

  Internal: dummy_*_{i,k}
    Precondition:
      i ∈ failed ∨ |failed| > f ∨ failed = J
    Effect:
      none

Tasks:
  For every i ∈ J:
    i-perform: {perform_{i,k}, dummy_perform_{i,k}}
    i-output: {b_{i,k} : b ∈ resps} ∪ {dummy_output_{i,k}}

Figure 1: A canonical atomic object.

steps on behalf of process i after i fails or after the resilience level has been exceeded.

The definition of fairness for I/O automata says that each task must get infinitely many turns to take steps. In this context, this implies that, for every i ∈ J, the object eventually responds to an outstanding invocation at i, unless either i fails or more than f processes in J fail. If i does fail or more than f processes in J fail, the fairness definition allows the object to perform the dummy_*_{i,k} action every time the i-* task gets a turn, which permits the object to avoid responding to i. In particular, if more than f processes fail, the object may avoid responding to any process in J, since dummy_output_{i,k} is enabled for all i ∈ J. Also, if all processes connected to the service (i.e., all processes in J) fail, the object may avoid responding to any process.

Thus, the basic fairness definition expresses the idea that the object is f-resilient: Once more than f of the processes connected to the object fail, the object itself may "fail" by becoming silent. However, although the object may stop responding, it never violates its safety guarantees, that is, it never returns values inconsistent with the underlying sequential type specification.

A canonical atomic object whose sequential type is 
read/write is called a canonical register. In this paper, 
we will consider canonical reliable (wait-free) registers. 
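The fairness argument above can be checked mechanically. The following Python model is added here as an example and is not part of the paper. It keeps only the task structure of Figure 1 that the argument needs: for each endpoint i, the i-output task consists of the response actions b_{i,k} (enabled while resp-buffer(i) is non-empty) and dummy_output_{i,k} (enabled under the precondition of Figure 1). The sequential type is abstracted away, so a state is just the set of endpoints with a pending response together with the failed set; that abstraction, the action encoding, and the three scenarios at the bottom are assumptions of this example. An infinite execution is given as a lasso (a finite prefix followed by a cycle repeated forever), and the fairness definition of Section 2.1 is evaluated on it: each task must either take infinitely many steps in the cycle or be disabled in some state of the cycle.

```python
"""Fairness of an infinite execution of the canonical f-resilient object.

Added example, not code from the paper.  Only the i-output tasks of Figure 1
are modelled; the state is (pending, failed): endpoints whose resp-buffer is
non-empty and endpoints for which fail_i has occurred.  Responses carry no
value because the sequential type is abstracted away (assumption).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class State:
    pending: frozenset   # endpoints i with a non-empty resp-buffer(i)
    failed: frozenset    # endpoints i for which fail_i has occurred


def enabled(action, s, J, f):
    """Precondition of one action.  Actions are ("respond", i) for b_{i,k},
    ("dummy", i) for dummy_output_{i,k}, and ("fail", i) for the input fail_i."""
    kind, i = action
    if kind == "fail":
        return True                                # inputs are always enabled
    if kind == "respond":
        return i in s.pending
    # dummy_output_{i,k}: i ∈ failed ∨ |failed| > f ∨ failed = J
    return i in s.failed or len(s.failed) > f or s.failed == frozenset(J)


def step(action, s, J, f):
    assert enabled(action, s, J, f), f"{action} not enabled in {s}"
    kind, i = action
    if kind == "fail":
        return State(s.pending, s.failed | {i})
    if kind == "respond":
        return State(s.pending - {i}, s.failed)
    return s                                       # dummy step: no effect


def task_enabled(i, s, J, f):
    """The i-output task is enabled iff one of its two actions is."""
    return enabled(("respond", i), s, J, f) or enabled(("dummy", i), s, J, f)


def run(actions, s0, J, f):
    """Execute a finite action sequence; return all states visited, s0 first."""
    states = [s0]
    for a in actions:
        states.append(step(a, states[-1], J, f))
    return states


def fairness(prefix, cycle, s0, J, f):
    """For the execution prefix · cycle · cycle · ..., return {i: bool}: whether
    the i-output task is treated fairly (Section 2.1).  The execution is fair
    iff every value is True."""
    states = run(prefix + cycle, s0, J, f)
    n = len(prefix)
    assert states[-1] == states[n], "cycle must return to the state it starts in"
    cycle_states = states[n:-1]
    return {i: any(a[0] != "fail" and a[1] == i for a in cycle)
               or any(not task_enabled(i, s, J, f) for s in cycle_states)
            for i in J}


# Constructed scenario (not from the paper): three endpoints, f = 1, and a
# response pending at every endpoint.
J = (1, 2, 3)
F = 1
S0 = State(frozenset(J), frozenset())

# Two failures exceed f: the object may loop on dummy steps forever and the
# execution is still fair, although no response is ever delivered.
SILENT = fairness([("fail", 1), ("fail", 2)],
                  [("dummy", 1), ("dummy", 2), ("dummy", 3)], S0, J, F)

# One failure does not exceed f: an execution in which only dummy_output_1
# ever runs is unfair to endpoints 2 and 3, whose responses stay pending.
STARVED = fairness([("fail", 1)], [("dummy", 1)], S0, J, F)

# Same single failure, but the object answers 2 and 3 first: fair.
SERVED = fairness([("fail", 1), ("respond", 2), ("respond", 3)],
                  [("dummy", 1)], S0, J, F)

if __name__ == "__main__":
    print("silent :", SILENT)
    print("starved:", STARVED)
    print("served :", SERVED)
```

Note that once more than f endpoints have failed the object is allowed to stay silent only by actually taking the dummy step on every turn of each task; a cycle in which some i-output task neither responds nor takes its dummy step while a response is pending is still unfair, which is why the dummy actions are part of the tasks rather than a separate mechanism.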

2.4 f-resilient atomic objects

An I/O automaton A is an f-resilient atomic object of type T for endpoint set J and index k, provided that it implements the canonical f-resilient atomic object S of type T for J and k, in the following sense:

1. A and S have the same input actions (including fail actions) and the same output actions.

2. Any trace of A is also a trace of S. (This implies that A guarantees atomicity.)

3. Any fair trace of A is also a fair trace of S. (This says that A is f-resilient.)

We say that A is wait-free (or, reliable), if it is (|J| − 1)-resilient. This is equivalent to saying that (a) A is |J|-resilient, or (b) A is f-resilient for some f ≥ |J| − 1, or (c) A is f-resilient for every f ≥ |J| − 1.
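As an added example (not code from the paper), the following Python encodes the sequential types of Section 2.2 and checks condition 2 above directly: given a finite trace of external actions at the endpoints of a canonical atomic object, it searches over the object's internal nondeterminism (the order in which perform steps are taken and the results δ allows) for a run of the automaton of Figure 1 that produces the trace. Finite traces do not depend on f, since fail_i only changes the failed set, which matters for fairness rather than for which responses are possible. The encoding of δ as a function returning the set of allowed (response, value) pairs, the tuple encoding of traces, and the sample traces are assumptions of this example.

```python
"""Trace-inclusion check for the canonical atomic object of Figure 1.

Added example, not code from the paper.  A sequential type is (V0, delta)
where delta(inv, val) returns the set of (resp, val') pairs the relation
allows (assumed encoding).  A trace is a list of ("inv", i, a),
("resp", i, b) or ("fail", i) tuples, i being an endpoint in J.
"""
from collections import namedtuple
from functools import lru_cache

SeqType = namedtuple("SeqType", "V0 delta")   # V0: set of initial values


def read_write(v0):
    """Read/write sequential type: read returns val, write(v) returns ack."""
    def delta(inv, val):
        if inv == "read":
            return {(val, val)}
        assert inv[0] == "write"                  # inv == ("write", v)
        return {("ack", inv[1])}
    return SeqType(frozenset([v0]), delta)


def k_consensus(k):
    """k-consensus sequential type of Section 2.2.  The value is the set W of
    the first k inputs; init(v) may answer decide(v') for any v' in W ∪ {v}
    while |W| < k, and for any v' in W once |W| = k.  k = 1 is binary consensus."""
    def delta(inv, W):
        assert inv[0] == "init"                   # inv == ("init", v)
        new_w = W | {inv[1]} if len(W) < k else W
        return {(("decide", x), new_w) for x in new_w}
    return SeqType(frozenset([frozenset()]), delta)


def is_trace(T, J, trace):
    """True iff `trace` is a trace of the canonical atomic object of type T for J.

    DFS over the object's nondeterminism.  The automaton state is
    (val, inv-buffer, resp-buffer); buffers are tuples indexed like J so the
    state is hashable and memoisable.  Inputs are deterministic; an output
    b_{i,k} is only possible when b is the head of resp-buffer(i), and the
    object may take any number of perform steps first, at any endpoint.
    """
    J = list(J)
    idx = {i: n for n, i in enumerate(J)}
    empty = tuple(() for _ in J)

    @lru_cache(maxsize=None)
    def run(pos, val, invb, respb):
        if pos == len(trace):
            return True
        ev = trace[pos]
        if ev[0] == "fail":                       # only affects fairness
            return run(pos + 1, val, invb, respb)
        n = idx[ev[1]]
        if ev[0] == "inv":                        # a_{i,k}: append to inv-buffer(i)
            new = list(invb)
            new[n] = invb[n] + (ev[2],)
            return run(pos + 1, val, tuple(new), respb)
        # ev[0] == "resp": output b_{i,k} if it is the head of resp-buffer(i) ...
        if respb[n] and respb[n][0] == ev[2]:
            new = list(respb)
            new[n] = respb[n][1:]
            if run(pos + 1, val, invb, tuple(new)):
                return True
        # ... or after one more perform_{m,k} step, for any endpoint m with a
        # pending invocation and any result delta allows.  Each perform step
        # shortens the inv-buffers, so the recursion terminates.
        for m in range(len(J)):
            if not invb[m]:
                continue
            for b, v2 in T.delta(invb[m][0], val):
                ni, nr = list(invb), list(respb)
                ni[m] = invb[m][1:]
                nr[m] = respb[m] + (b,)
                if run(pos, v2, tuple(ni), tuple(nr)):
                    return True
        return False

    return any(run(0, v0, empty, empty) for v0 in T.V0)


# Constructed sample traces (not from the paper), endpoints J = {1, 2, 3}.
REG = read_write(0)
REG_OK = [("inv", 1, ("write", 5)), ("inv", 2, "read"),
          ("resp", 2, 5), ("resp", 1, "ack")]            # read linearised after the write
REG_BAD = [("inv", 2, "read"), ("resp", 2, 5),
           ("inv", 1, ("write", 5)), ("resp", 1, "ack")]  # 5 returned before it was written
CONS = k_consensus(1)
CONS_OK = [("inv", 1, ("init", 0)), ("inv", 2, ("init", 1)), ("fail", 1),
           ("resp", 2, ("decide", 0))]                    # P1's init performed first
CONS_BAD = [("inv", 1, ("init", 0)), ("inv", 2, ("init", 1)),
            ("resp", 1, ("decide", 0)), ("resp", 2, ("decide", 1))]  # agreement violated
SET2 = k_consensus(2)
SET2_OK = [("inv", i, ("init", i)) for i in (1, 2, 3)] + \
          [("resp", 1, ("decide", 1)), ("resp", 2, ("decide", 2)), ("resp", 3, ("decide", 2))]
SET2_BAD = [("inv", i, ("init", i)) for i in (1, 2, 3)] + \
           [("resp", i, ("decide", i)) for i in (1, 2, 3)]  # three distinct decisions

if __name__ == "__main__":
    for name, T, tr in [("REG_OK", REG, REG_OK), ("REG_BAD", REG, REG_BAD),
                        ("CONS_OK", CONS, CONS_OK), ("CONS_BAD", CONS, CONS_BAD),
                        ("SET2_OK", SET2, SET2_OK), ("SET2_BAD", SET2, SET2_BAD)]:
        print(name, is_trace(T, (1, 2, 3), tr))
```

For a deterministic sequential type this is exactly a linearizability check with the per-endpoint FIFO ordering of Figure 1; for the nondeterministic k-consensus type the search also ranges over the responses δ permits, which is why SET2_OK passes with two distinct decision values and SET2_BAD fails with three.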



3 System Model with Atomic Objects

Our system model consists of a collection of process automata, reliable registers, and fault-prone atomic objects (which we sometimes refer to as services). For this section, we fix I, K, and R, finite (disjoint) index sets for processes, services, and registers, respectively, and T, a sequential type, representing the problem the system is intended to solve. A distributed system for I, K, R, and T is the composition of the following I/O automata (see [18, chapter 8]):

1. Processes P_i, i ∈ I.

2. Services (atomic objects) S_k, k ∈ K. We let T_k denote the sequential type, and J_k ⊆ I the set of endpoints, of service S_k. We assume k itself is the index.

3. Registers S_r, r ∈ R. We let V_r denote the value set and v_{0,r} the initial value for register S_r. We assume r is the index.

Processes interact only via services and registers. Process P_i can invoke an operation on service S_k provided that i ∈ J_k. Process P_i can also invoke a read or write operation on register S_r provided that i ∈ J_r. Services and registers do not communicate directly with one another, but may interact indirectly via processes. In the remainder of this section, we describe the components in more detail and define terminology needed for the results and proofs.

3.1 Processes

We assume that process P_i, i ∈ I, has the following inputs and outputs:

• Inputs a_i, a ∈ T.invs, and outputs b_i, b ∈ T.resps. These represent P_i's interactions with the external world.

• For every service S_k such that i ∈ J_k, outputs a_{i,k}, a ∈ T_k.invs, and inputs b_{i,k}, b ∈ T_k.resps.

• For every register S_r, outputs a_{i,r}, where a is a read or write invocation of S_r, and inputs b_{i,r}, where b is a response of S_r.

• Input fail_i.

P_i may issue several invocations, on the same or different services or registers, without waiting for responses to previous invocations. The external world at P_i may also issue several invocations to P_i without waiting for responses. As a technicality, we assume that when P_i performs a decide(v)_i output action, it records the decision value v in a special state component.

We assume that P_i has only a single task, which therefore consists of all the locally-controlled actions of P_i. We assume that in every state, some action in that single task is enabled. We assume that the fail_i input action affects P_i in such a way that, from that point onward, no output actions are enabled. However, other locally-controlled actions may be enabled — in fact, by the restriction just above, some such action must be enabled. This action might be a "dummy" action, as in the canonical resilient atomic objects defined in Section 2.3.

3.2 Services and registers

We assume that service S_k is the canonical f-resilient atomic object of type T_k for J_k and k. Likewise, we assume that register S_r is the canonical wait-free atomic read/write object with value set V_r and initial value v_{0,r}, for J_r and r.

3.3 The complete system

The complete system C is constructed by composing the P_i, S_k, and S_r automata and then hiding all the actions used to communicate among them.

For any action a of C, we define the participants of action a to be the set of automata with a in their signature. Note that no two distinct registers or services participate in the same action a, and similarly no two distinct processes participate in the same action. Furthermore, for any action a, the number of participants is at most 2. Thus, if an action a has two participants, they must be a process and either a service or register.

As we defined earlier, each process P_i has a single task, consisting of all the locally controlled actions of P_i. Each service or register S_c, c ∈ K ∪ R, has two tasks for each i ∈ J_c: i-perform, consisting of {perform_{i,c}, dummy_perform_{i,c}}, and i-output, consisting of {b_{i,c} : b ∈ T_c.resps} ∪ {dummy_output_{i,c}}. These tasks define a partition of the set of all actions in the system, except for the inputs of the process automata that are not outputs of any other automata, namely, the invocations by the external world and the fail_i actions. The I/O automata fairness assumptions imply that each of these tasks gets infinitely many turns to execute.

We say that a task e is applicable to a finite execution α iff some action of e is enabled in the last state of α.

3.4 The consensus problem

The "traditional" specification of f-resilient binary consensus is given in terms of a set {P_i, i ∈ I} of processes, each of which starts with some value v_i in {0, 1}. Processes are subject to stopping failures, which prevent them from producing any further output.² As a result of engaging in a consensus algorithm, each nonfaulty process eventually "decides" on a value from {0, 1}. The behavior of processes is required to satisfy the following conditions (see, e.g., [18, chapter 6]):

Agreement No two processes decide on different values.

Validity Any value decided on is the initial value of some process.

Termination In every fair execution in which at most f processes fail, all nonfaulty processes eventually decide.

In this paper, we specify the consensus problem differently: We say that a distributed system S solves f-resilient consensus for I if and only if S is an f-resilient atomic object of type consensus (Section 2.2) for endpoint set I. We argue that any system that satisfies our definition satisfies a slight variant of the traditional one. In this variant, inputs arrive explicitly via init() actions, not all nonfaulty processes need receive inputs, and only nonfaulty processes that do receive inputs are guaranteed to eventually decide. Our agreement and validity conditions are the same as before; our new termination condition is:

Termination In every fair execution in which at most f processes fail, any nonfaulty process that receives an input eventually decides.

² Stopping failures are usually defined as disabling the process from executing at all. However, the two definitions are equivalent with respect to overall system behavior.



4 Impossibility of Boosting for Atomic Objects

Our first main theorem is:

Theorem 1 Let n = |I| be the number of processes, and let f be an integer such that 0 ≤ f < n − 1. There does not exist an (f + 1)-resilient n-process implementation of consensus from canonical f-resilient atomic objects and canonical reliable registers.

To prove Theorem 1, we assume that such an implementation exists and derive a contradiction. Let C denote the complete system, that is, the composition of the processes P_i, i ∈ I, services S_k, k ∈ K, and registers S_r, r ∈ R. By assumption, C satisfies the agreement, validity and termination properties of consensus.

For each component c ∈ K ∪ R and i ∈ J_c (recall that J_c denotes the endpoints of c) let inv-buffer(i)_c denote the invocation buffer of c, which stores invocations from P_i, and let resp-buffer(i)_c denote the response buffer of c, which stores responses to P_i. Also let buffer(i)_c = (inv-buffer(i)_c, resp-buffer(i)_c).

4.1 Assumption

To prove Theorem 1, we make the following assumption:

(i) We assume that the processes P_i, i ∈ I, are deterministic automata, as defined in Section 2.1. For services, we assume a slightly weaker condition: that the sequential type is deterministic, i.e., the sequential type has a unique initial value and the transition relation δ is a mapping. Note that the sequential type for registers is also deterministic, by definition.

Assumption (i) implies that, after a finite failure-free execution α, an applicable task e determines a unique transition, arising from running task e from the final state s of α. We denote this transition as transition(e, s) (since it is uniquely defined by the final state s). If transition(e, s) = (s, a, s′), then we write first(e, s), action(e, s), and last(e, s) to denote s, a, and s′, respectively. We sometimes abbreviate last(e, s) as e(s). Note that, if s is the final state of α, then transition(e, s), first(e, s), action(e, s), and last(e, s) are defined iff e is applicable to α.

Assumption (i) implies that any failure-free execution can be defined by applying a sequence of tasks, one after the other, to the initial state of C. Assumption (i) does not reduce the generality of our impossibility result, because any candidate system could be restricted to satisfy (i); if the impossibility result holds for the restricted automaton, then it also holds for the original one.

Lemma 2 Let α be any finite failure-free execution of C, e be any task of C applicable to α, and α · β be any failure-free extension of α such that β includes no actions of e. Then e is applicable to α · β.

Proof: Task e is either a process task, service task, or register task. If e is a process task, then e is applicable to any finite execution, by our assumption that each process always has some enabled locally controlled action. If e is a service task, say of service S_k, then applicability of e to α means that service S_k has either a pending invocation in an inv-buffer or a pending response in a resp-buffer, after α. Since β does not include any actions of e, and the invocation or response remains pending as long as e is not scheduled, e is also applicable after α · β. If e is a register task, the argument is similar. □

Let s be any state of C arising after a finite failure-free execution α of C, and let e be a task that is applicable to α (equivalently, enabled in s). Then we write participants(e, s) for the set of participants of action action(e, s). Note that, for any task e and any state s, |participants(e, s)| ≤ 2. Also, if |participants(e, s)| = 2, then participants(e, s) is of the form {P_i, S_c}, for some i ∈ I and c ∈ K ∪ R.



4.2 Initializations and valence

In our proof, we consider executions in which consensus inputs arrive from the external world at the beginning of the execution. Thus, we define an initialization of C to be a finite execution of C containing exactly one init()_i action for each i ∈ I, and no other actions. An execution α of C is input-first if it has an initialization as a prefix, and contains no other init() actions. A finite failure-free input-first execution α is defined to be 0-valent if (1) some failure-free extension of α contains a decide(0)_i action, for some i ∈ I, and (2) no failure-free extension of α contains a decide(1)_i action, for any i ∈ I. The definition of a 1-valent execution is symmetric. A finite failure-free input-first execution α is univalent if it is either 0-valent or 1-valent. A finite failure-free input-first execution α is bivalent if (1) some failure-free extension of α contains a decide(0)_i action, for some i, and (2) some failure-free extension of α contains a decide(1)_i action, for some i. These definitions immediately imply the following result:

Lemma 3 Every finite failure-free input-first execu- 
tion of C is either bivalent or univalent. 

The following lemma provides the first step of the 
impossibility proof: 

Lemma 4 C has a bivalent initialization. 

Proof: Write I = {1, ..., n}. For each i ∈ {0, ..., n}, let α^i be an initialization of C in which processes P_1, ..., P_i receive initial value 1 and processes P_{i+1}, ..., P_n receive 0. By the validity property of C and Lemma 3, α^0 is 0-valent, α^n is 1-valent, and every α^j (j ∈ {0, ..., n}) is either univalent or bivalent. Then there must be some index i ∈ {0, ..., n − 1} such that α^i is 0-valent and α^{i+1} is either 1-valent or bivalent. The only difference between the initializations α^i and α^{i+1} is the initial value of P_{i+1}. So consider a failure-free extension of α^i that is fair, except that P_{i+1} takes no steps. Since this execution looks to the rest of the system like an execution in which P_{i+1} has failed, the termination condition requires that the other processes must eventually decide. Since the execution is in fact failure-free and α^i is 0-valent, the decision must be 0.

Now, an analogous failure-free extension may be constructed for α^{i+1}: since P_{i+1} takes no steps, the other processes cannot distinguish it from the extension just constructed, so it also leads to a decision of 0. Since, by assumption, α^{i+1} is either 1-valent or bivalent, it must be bivalent. □

For the rest of this section, fix α_b to be any particular bivalent initialization of C.



Figure 2: A hook starting in α. The bivalent vertex α has an edge labeled e′ to α′ and an edge labeled e to α₀ (0-valent); α′ has an edge labeled e to α₁ (1-valent).

4.3 The graph G(C)

Now define an edge-labeled directed graph G(C) as follows:

(1) The vertices of G(C) are the finite failure-free input-first extensions of the bivalent initialization α_b.

(2) G(C) contains an edge labeled with task e from α to α′ provided that α′ = e(α).

By assumption (i) of Section 4.1, any task triggers at most one transition after a failure-free execution α. Therefore, for any vertex α of G(C) and any task e, there is at most one edge labeled with e outgoing from α.

4.4 The existence of a hook

We show that decisions in C can be made in a particular way described by a hook pattern of executions. Similarly to [4], we define a hook to be a subgraph of G(C) of the form depicted in Figure 2.

Lemma 5 G(C) contains a hook.

Proof: Starting from the bivalent vertex α_b of G(C), we generate a path π in G(C) that passes through bivalent vertices only, as follows. We consider all tasks in a round-robin fashion. Suppose we have reached a bivalent execution α so far, and task e is the next task in the round-robin list that is applicable to α. (We know such a task exists because the process tasks are always applicable.)

Lemma 2 implies that, for any finite failure-free extension α′ of α (such that e is not executed along the suffix of α′ starting in the last state of α) e is applicable to α′, and hence e(α′) is defined. We look for a vertex α′ of G(C), reachable from α in G(C) without following any edge labeled with e, such that e(α′) is bivalent. If no such vertex α′ exists, the path construction terminates. Otherwise, we proceed to e(α′) and continue by processing the next task in the round-robin order. This construction is presented in Figure 3. Each completed iteration of the loop extends the path by at least one edge. Let π be the path generated by this construction.

First suppose that π is infinite. Then π corresponds to a fair failure-free input-first execution α of C. Moreover, every finite input-first prefix of α is bivalent. Thus, no process can decide in α (for otherwise, the agreement property of C would be violated). This is a contradiction, so π must be finite.



1: α ← α_b
2: while true do
3:   Let e be the next task (in round-robin order) applicable to α
4:   if α has a descendant α' in G(C) such that the path from α to α' includes no e labels and e(α') is bivalent then
5:     choose some such α'
6:     α ← e(α')
7:   else
8:     exit

Figure 3: Hook location in G(C).

Let α be the last vertex of π. By construction, α is bivalent. Upon termination of the above path construction in vertex α, let e be the next task in round-robin order that is applicable to α. Such an e always exists since nonfaulty processes can always take a step, by assumption. Since the path construction terminated in α, we conclude that e satisfies the following condition: for any descendant α' of α such that the path from α to α' includes no e labels, e(α') is univalent.

Without loss of generality, assume that e(α) is 0-valent. Since α is bivalent, there is a descendant α' of α such that e(α') is 1-valent. Let σ_0, ..., σ_m be the sequence of vertices of G(C) on the path from α to α', and for each j, 0 ≤ j ≤ m − 1, let e_j be the label of the edge on this path from σ_j to σ_{j+1}. Thus, σ_{j+1} = e_j(σ_j). By construction, e(σ_0) is 0-valent, e(σ_m) is 1-valent, and every e(σ_j), j ∈ {1, ..., m − 1}, is univalent. Thus, there exists an index j ∈ {0, ..., m − 1} such that e(σ_j) is 0-valent and e(σ_{j+1}) is 1-valent.

As a result, we obtain a hook (Figure 2) with e in the hook equal to e in this proof, α = σ_j, α' = σ_{j+1}, α_0 = e(σ_j), α_1 = e(σ_{j+1}), and e' = e_j. □

4.5 Similarity

In this section, we introduce notions of similarity between system states. These will be used in showing non-existence of a hook, which will yield the contradiction needed for the impossibility proof. First, we define j-similar system states.

Let j ∈ I and let s_0 and s_1 be states of C. Then s_0 and s_1 are j-similar if:

(1) For every i ∈ I − {j}, the state of P_i is the same in s_0 and s_1.

(2) For every c ∈ K ∪ R:

  1. The value of val_c is the same in s_0 and s_1.

  2. For every i ∈ J_c − {j}, the value of buffer(i)_c is the same in s_0 and s_1.

Lemma 6 Let j ∈ I. Let α_0 and α_1 be finite failure-free input-first executions, s_0 and s_1 the respective final states of α_0 and α_1. Suppose that s_0 and s_1 are j-similar. If α_0 and α_1 are univalent, then they have the same valence.



Proof: We proceed by contradiction. Fix j, α_0, α_1, s_0, and s_1 as in the hypotheses of the lemma, and suppose (without loss of generality) that α_0 is 0-valent and α_1 is 1-valent. Let J ⊆ I be any set of indices such that j ∈ J and |J| = f + 1. Since f < n − 1 by assumption, we have |J| < n, and so I − J is nonempty.

Consider a fair extension of α_0, α_0 · β, in which the first f + 1 actions of β are fail_i, i ∈ J, and no other fail actions occur in β. Note that, for all i ∈ J, β contains no output actions of P_i. Assume that in β, no perform_{i,c} or b_{i,c} (i.e., a response) action of any i-* task, i ∈ J, occurs at any component c ∈ K ∪ R; we may assume this because, for each i ∈ J, action fail_i enables a dummy action in every i-* task of every service and register (* is perform or output).

Since α_0 is a failure-free input-first execution, the resulting extension α_0 · β is a fair input-first execution containing f + 1 failures. Therefore, the termination property for (f + 1)-resilient consensus implies that there is a finite prefix of α_0 · β, which we denote by α_0 · γ, that includes decide(v)_l for some l ∉ J and v ∈ {0, 1}. Construct α_0 · γ', where γ' is obtained from γ by removing the fail_i actions, all dummy actions, and any remaining internal actions of P_i, i ∈ J. Thus, α_0 · γ' is a failure-free extension of α_0 that includes decide(v)_l. Since α_0 is 0-valent, v must be equal to 0.

We claim that decide(0)_l occurs in the suffix γ', rather than in the prefix α_0. Suppose for contradiction that the decide(0)_l action occurs in the prefix α_0. Then by our technical assumption about processes, the decision value is recorded in the state of P_l. Since s_0 and s_1 are j-similar and l ≠ j, the same decision value appears in the state s_1. But this contradicts the assumption that α_1, which ends in s_1, is 1-valent. So, it must be that decide(0)_l occurs in the suffix γ'.

Now we show how to append essentially the same γ' after α_1. We know that, for every i ∈ J, γ' contains no locally controlled action of P_i, and contains no perform_{i,c} or b_{i,c} action (b ∈ resps), for any c ∈ K ∪ R. By definition of j-similarity, we have:

(a) For every i ∉ J, the state of P_i is the same in s_0 and s_1.

(b) For every c ∈ K ∪ R,

  1. The value of val_c is the same in s_0 and s_1 (that is, in the final states of α_0 and α_1).

  2. For every i ∈ J_c − J, the value of buffer(i)_c is the same in s_0 and s_1.

Thus:

(c) If γ' contains any locally controlled actions of a process i, then the state of P_i is the same in s_0 and s_1.

(d) For every c ∈ K ∪ R,

  1. The value of val_c is the same in s_0 and s_1.

  2. For every i ∈ J_c, if γ' contains any perform_{i,c} or b_{i,c} (b ∈ resps) actions of c, then the value of buffer(i)_c is the same in s_0 and s_1.

It follows that it is possible to append "essentially" the same γ' after α_1, resulting in a failure-free extension of α_1 that includes decide(0)_l.³ But α_1 is 1-valent, a contradiction. □

³ Really, we are appending another execution fragment γ'' after α_1, one that looks the same to all the processes and service tasks that take steps in γ'.

Similarly, we define the notion of k-similar states: Let k ∈ K, and let s_0 and s_1 be states of C. Then s_0 and s_1 are k-similar if the following conditions hold:

(1) For every i ∈ I, the state of P_i is the same in s_0 and s_1.

(2) For every c ∈ (K − {k}) ∪ R, the state of S_c is the same in s_0 and s_1.

Lemma 7 Let k ∈ K. Let α_0 and α_1 be finite failure-free input-first executions, s_0 and s_1 the respective final states of α_0 and α_1. Suppose that s_0 and s_1 are k-similar. If α_0 and α_1 are univalent, then they have the same valence.

Proof: Fix k, α_0, α_1, s_0, and s_1 as in the hypotheses of the lemma. By contradiction, suppose (without loss of generality) that α_0 is 0-valent and α_1 is 1-valent. Let J ⊆ I be any set of indices such that |J| = f + 1, and, if |J_k| ≤ f + 1, then J_k ⊆ J, whereas if |J_k| > f + 1, then J ⊆ J_k.

Consider a fair extension of α_0, α_0 · β, in which the first f + 1 actions of β are fail_i, i ∈ J, and no other fail actions occur in β. Note that, for all i ∈ J, β contains no output actions of P_i. Assume that in β, no perform_{i,k} or b_{i,k} action (b ∈ resps) of S_k occurs; we may assume this because the f + 1 fail actions enable dummy actions in all tasks of S_k.

Since α_0 is a failure-free input-first execution, the resulting extension α_0 · β is a fair input-first execution containing f + 1 fail actions. Therefore, the termination property for (f + 1)-resilient consensus implies that there is a finite prefix of α_0 · β, which we denote by α_0 · γ, that includes decide(v)_l for some l ∈ I − J and v ∈ {0, 1}. We know that decide(0)_l occurs in the suffix γ, rather than in the prefix α_0, by an argument similar to that in the proof of Lemma 6.

Now construct α_0 · γ', where γ' is obtained from γ by removing all the fail_i actions, i ∈ J, and all dummy actions. Thus, α_0 · γ' is a failure-free extension of α_0 that includes decide(v)_l. Since α_0 is 0-valent, v must be equal to 0.

Now we show how to append essentially the same γ' after α_1. By definition of k-similarity, we have:

(a) For every i ∈ I, the state of P_i is the same in s_0 and s_1.

(b) For every c ∈ (K − {k}) ∪ R, the state of S_c is the same in s_0 and s_1.

Thus:

(c) For every c ∈ K ∪ R, if γ' contains any perform_{i,c} or b_{i,c} actions of S_c, then the state of S_c is the same in s_0 and s_1, since c ≠ k in this case.

By properties (a) and (c), it follows that it is possible to append "essentially" the same γ' after α_1 (differing only in the state of S_k), resulting in a failure-free extension of α_1 that includes decide(0)_l. But α_1 is 1-valent, a contradiction. □



4.6 The non-existence of a hook

Now we are ready to prove the absence of hooks.

Lemma 8 G(C) contains no hooks.

Proof: By contradiction. Assume that a hook exists, as depicted in Figure 2. Let s, s', s_0, and s_1 be the respective final states of α, α', α_0, and α_1, and let e and e' be the two tasks involved in the hook, as shown. Since α_0 and α_1 are 0-valent and 1-valent, respectively, by Lemmas 6 and 7, s_0 and s_1 cannot be j-similar for any j ∈ I, or k-similar for any k ∈ K. In particular, we cannot have s_0 = s_1. Also, note that e'(α_0) is 0-valent, since it is an extension of a 0-valent execution. Therefore, again, by Lemmas 6 and 7, e'(s_0) and s_1 cannot be j-similar for any j ∈ I, or k-similar for any k ∈ K. In particular, we cannot have e'(s_0) = s_1. We establish the contradiction using a series of claims:

Claim 1: e ≠ e'.
Suppose for contradiction that e = e'. Then by determinism (Assumption (i) in Section 4.1), we have α_0 = α'. However, α_0 is 0-valent, whereas α' has a 1-valent failure-free extension α_1, a contradiction.

Claim 1 and Lemma 2 imply that e' is enabled from e(s).

Claim 2: participants(e, s) ∩ participants(e', s) ≠ ∅.
Suppose for contradiction that participants(e, s) ∩ participants(e', s) = ∅. Therefore, the two tasks commute, that is, e'(e(s)) = e(e'(s)). In other words, e'(s_0) = s_1, a contradiction.

Since participants(e, s) ∩ participants(e', s) ≠ ∅, either a process, service, or register must be in the intersection. We prove three claims showing that none of these possibilities can hold, thus obtaining the needed contradiction.

Claim 3: There does not exist i ∈ I such that P_i ∈ participants(e, s) ∩ participants(e', s).
Suppose for contradiction that P_i ∈ participants(e, s) ∩ participants(e', s). Then the two actions action(e, s) and action(e', s) involve only P_i and the buffers buffer(i)_c, c ∈ K ∪ R. Furthermore (since the same task e is used), the action action(e, s') also involves only P_i and the buffers buffer(i)_c, c ∈ K ∪ R. But then the states s_0 and s_1 can differ only in the state of P_i and in the values of buffer(i)_c, c ∈ K ∪ R. This implies that s_0 and s_1 are i-similar, a contradiction.

Claim 4: There does not exist k ∈ K such that S_k ∈ participants(e, s) ∩ participants(e', s).
Suppose for contradiction that S_k ∈ participants(e, s) ∩ participants(e', s). There are four possibilities:

1. participants(e, s) = participants(e', s) = {S_k}. Then e and e' must be perform tasks of S_k, and so involve only the state of S_k. But then the states s_0 and s_1 can differ only in the state of S_k. So s_0 and s_1 are k-similar, a contradiction.

2. For some i ∈ I, participants(e, s) = {S_k, P_i} and participants(e', s) = {S_k}. Then the two tasks commute, that is, e'(s_0) = s_1, a contradiction.

3. For some i ∈ I, participants(e', s) = {S_k, P_i} and participants(e, s) = {S_k}. Again, the two tasks commute, that is, e'(s_0) = s_1, a contradiction.

4. For some i, j ∈ I, participants(e, s) = {S_k, P_i} and participants(e', s) = {S_k, P_j}. By Claim 3, we know that i ≠ j. Then again, the two tasks commute, so e'(s_0) = s_1, a contradiction.

Note that for cases 2 and 3 above (but not case 4), whenever action(e, s) and action(e', s) access the same buffer, one action inserts an item and the other removes an item. Hence the actions commute.

Claim 5: There does not exist r ∈ R such that S_r ∈ participants(e, s) ∩ participants(e', s).
Suppose for contradiction that S_r ∈ participants(e, s) ∩ participants(e', s). There are four possibilities:

1. participants(e, s) = participants(e', s) = {S_r}. Then e and e' must be perform tasks of register S_r. Without loss of generality, suppose that action(e, s) is perform_{i,r} and action(e', s) is perform_{j,r}. Since e ≠ e', we have i ≠ j. We consider subcases based on whether the two operations performed are reads or writes:

  (a) action(e, s) and action(e', s) both perform read operations. Then the two tasks commute, so e'(s_0) = s_1, a contradiction.

  (b) action(e, s) performs a write operation. Then states s_0 and s_1 can differ only in the value of inv-buffer(j)_r and resp-buffer(j)_r: in s_1, an invocation is missing from inv-buffer(j)_r and an extra response appears at the end of resp-buffer(j)_r, with respect to inv-buffer(j)_r and resp-buffer(j)_r in s_0. So s_0 and s_1 are j-similar, a contradiction.

  (c) action(e, s) performs a read operation and action(e', s) performs write(v). Then e'(s_0) and s_1 differ only in the value of resp-buffer(i)_r (different read responses may be appended at the end). So e'(s_0) and s_1 are i-similar, a contradiction.

2. For some i ∈ I, participants(e, s) = {S_r, P_i} and participants(e', s) = {S_r}. Then the two tasks commute, so e'(s_0) = s_1, a contradiction.

3. For some i ∈ I, participants(e', s) = {S_r, P_i} and participants(e, s) = {S_r}. Again, the two tasks commute, so e'(s_0) = s_1, a contradiction.

4. For some i, j ∈ I, participants(e, s) = {S_r, P_i} and participants(e', s) = {S_r, P_j}. By Claim 3, we know that i ≠ j. Then the two tasks commute, so e'(s_0) = s_1, a contradiction.

Now Claims 3, 4, and 5 together imply that participants(e, s) ∩ participants(e', s) = ∅. But this directly contradicts Claim 2. □

Lemma 5 contradicts Lemma 8. Hence we have derived a contradiction by assuming the negation of Theorem 1. Hence Theorem 1 is established.



5 k-Set Consensus

Our boosting impossibility result concerns consensus implementations. Interestingly, while it is not possible to implement (f + 1)-resilient consensus using registers and f-resilient atomic objects, this is not the case for the k-set consensus problem [6]. In k-set consensus, the processes have to agree on at most k different values (k-set consensus reduces to consensus when k = 1).

Consider a set of f-resilient k-set consensus services, each one exporting m ports. An algorithm that implements f'-resilient k'-set consensus works as follows. Take a principal subset of the processes, and divide it into s disjoint groups, each one accessing a different service. Each principal process participates in an execution proposing its input value to its designated service. When it gets a decision back, the process decides on the value and writes it in a shared register. The remaining processes simply wait until at least one principal process writes the value. The values of k' and f' depend on the size of the principal set, and on the number s of services we divide it into. There is a tradeoff between k' and f': if a small number of failures f' is tolerated, then a high degree of agreement is achieved, namely a small k'. If more failures f' must be tolerated, then a lower degree of agreement is achieved, namely a large k'.

To achieve correctness, we must ensure first that at least one principal process receives a decision from its service and communicates the decision to all, i.e., (1) every f-resilient service is connected to f + 1 processes, and (2) fewer than s · (f + 1) principal processes can fail: f' < s · (f + 1). Thus, there is at least one service S that is not killed, and moreover, there is at least one correct principal process that receives a decision value from S and writes the decision in a shared register. Thus, every correct process eventually decides. The number of possible different decision values is at most s · k: there are at most k different values returned per service; more precisely, at most k values per service being accessed by at least k processes, and c values for a service that is being accessed by c processes for c < k. Thus, for a desired overall resilience f', we want the smallest possible k' and so we find the smallest integer s that guarantees f' < s · (f + 1). Thus, we have s = ⌈(f' + 1)/(f + 1)⌉ services, and take the first f' + 1 processes to be the principal processes (f' + 1 processes using as few services as possible, each one with f + 1 input ports). It follows that

Theorem 9 For any 1 ≤ k ≤ m, k ≤ f ≤ m − 1, 1 ≤ f ≤ n − 1, it is possible to implement f'-resilient k'-set consensus using read-write memory and f-resilient k-set consensus services, each one with m ports, for

  k' ≥ k · ⌊(f' + 1)/(f + 1)⌋ + min(k, (f' + 1) mod (f + 1)).

When each available service is wait-free, that is f = m − 1, this algorithm reduces to the one of [12], and gives a tight bound. As an example, assume that we want to implement f'-resilient k'-set consensus in a system of 2c processes, where f' = 2c − 1, using only 1-resilient consensus services, i.e., f = 1, k = 1. The smallest k' for which we can do this is k' = c, using s = c services, each shared by 2 processes (f' + 1 = 2c principal processes).
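The boosting algorithm of this section, modelled as an added example (not the paper's own code): the k' bound of Theorem 9 is computed, one execution of the group-per-service construction is simulated, and every crash pattern with at most f' failures is checked for termination and for the bound. The service model, the choice of consecutive groups, and the crash-before/crash-after split are assumptions of this example.

```python
import itertools
import math


def boosting_parameters(f, k, f_prime):
    """Number of services s and the k' bound of Theorem 9 when building
    f'-resilient k'-set consensus from f-resilient k-set consensus services."""
    s = math.ceil((f_prime + 1) / (f + 1))
    full, rem = divmod(f_prime + 1, f + 1)
    return s, k * full + min(k, rem)


def kset_service(f, k, group, proposals, failed):
    """One f-resilient k-set consensus service (model constructed here).
    group: the processes connected to its ports; proposals: {process: value}.
    Each proposer gets back one of at most k proposed values, unless more than
    f connected processes have failed, in which case the service may stop; we
    take that worst case and return no decisions at all."""
    if len(set(group) & failed) > f or not proposals:
        return {}
    allowed = sorted(set(proposals.values()))[:k]       # <= k distinct values
    return {p: allowed[n % len(allowed)] for n, p in enumerate(sorted(proposals))}


def run_boosted(n, f, k, f_prime, inputs, crash_before, crash_after):
    """One execution of the algorithm of Section 5 (modelled here): the first
    f'+1 processes are principals, split into s groups of f+1 consecutive
    processes; each proposes to its group's service, decides on the answer and
    writes it to a shared register; the other processes wait for the register.
    crash_before / crash_after: processes that crash before proposing, or right
    after writing their decision.  Returns (decisions, register contents)."""
    failed = crash_before | crash_after
    assert len(failed) <= f_prime
    s, _ = boosting_parameters(f, k, f_prime)
    principals = list(range(f_prime + 1))
    groups = [principals[g * (f + 1):(g + 1) * (f + 1)] for g in range(s)]
    register, decisions = set(), {}
    for group in groups:
        proposals = {p: inputs[p] for p in group if p not in crash_before}
        for p, v in kset_service(f, k, group, proposals, failed).items():
            register.add(v)                 # principal p decides v and writes it
            if p not in crash_after:
                decisions[p] = v
    for p in range(f_prime + 1, n):         # non-principals adopt any written value
        if p not in failed and register:
            decisions[p] = min(register)
    return decisions, register


def check_all_failure_patterns(n, f, k, f_prime):
    """Exhaustively check termination (every correct process decides) and the
    k' bound over every crash pattern with at most f' failures; every process is
    either correct, crashes before proposing, or crashes after writing."""
    _, k_prime = boosting_parameters(f, k, f_prime)
    inputs = {p: p for p in range(n)}       # all-distinct inputs: worst case
    for pattern in itertools.product((0, 1, 2), repeat=n):
        before = {p for p in range(n) if pattern[p] == 1}
        after = {p for p in range(n) if pattern[p] == 2}
        if len(before | after) > f_prime:
            continue
        decisions, register = run_boosted(n, f, k, f_prime, inputs, before, after)
        correct = set(range(n)) - before - after
        if not correct.issubset(decisions):
            return False                    # a correct process never decided
        if len(set(decisions.values()) | register) > k_prime:
            return False                    # more than k' distinct decisions
    return True


if __name__ == "__main__":
    # The paper's example: 2c processes, f' = 2c-1, 1-resilient consensus
    # services (f = 1, k = 1) give k' = c with s = c services; here c = 3.
    print(boosting_parameters(1, 1, 5))            # (3, 3)
    print(check_all_failure_patterns(6, 1, 1, 5))  # True
```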

Note that the algorithm above uses services that are not connected to all processes. It is known that f-resilient f-set consensus cannot be solved using only reliable registers [2, 13, 19]. We conjecture that f-resilient f-set consensus cannot be solved using only reliable registers and services that are connected to all processes.
6 Failure-Oblivious Services

A failure-oblivious service is a generalization of an atomic object. It allows an invocation to trigger multiple processing steps instead of just one perform step. These steps can interleave with processing steps triggered by other invocations, and this makes a failure-oblivious service non-atomic, in general. A failure-oblivious service also allows an invocation to trigger any number of responses, at any endpoints, instead of just a single response at the endpoint of the invocation. The service may also include background processing tasks, not related to any specific endpoint. The key constraint is that no step may depend on explicit knowledge of failure events. In this section, we define the class of failure-oblivious services, give examples, and describe how Theorem 1 can be extended to such services.

6.1 f-resilient failure-oblivious services

As for atomic objects, we begin by defining a canonical f-resilient failure-oblivious service. A canonical f-resilient failure-oblivious service is parameterized by J, f, and k, which have the same meanings as for canonical atomic objects. Also, in place of the sequential type parameter T, the service has a service type parameter U, which is a tuple (V, V_0, invs, resps, glob, δ1, δ2, δ3), where V and V_0 are as before, invs and resps are the respective sets of invocations and responses (which can occur at any endpoint), glob is a set of global tasks, and δ1, δ2, δ3 are three transition relations.

Here, δ1 is a total binary relation from invs × J × V to (the set of mappings from J to finite sequences of resps) × V. It is used to map an invocation at the head of a particular inv-buffer, and the current value for val, to a set of results, each of which consists of a new value for val and sequences of responses to be added to any or all of the resp-buffers. δ2 is a total binary relation from J × V to (the set of mappings from J to finite sequences of resps) × V. It is used to map a particular endpoint and value of val to a set of results, defined as above. Finally, δ3 is a total binary relation from V to (the set of mappings from J to finite sequences of resps) × V. It is used to map a value of val to a set of results. The code for a canonical failure-oblivious automaton, showing how these parameters are used, appears in Figure 4.

Thus, a canonical f-resilient failure-oblivious service is allowed to perform rather flexible kinds of processing, both related and unrelated to individual endpoints, as long as processing decisions do not depend on knowledge of occurrence of failure events.

An I/O automaton A is an f-resilient failure-oblivious service of type U, endpoint set J, and index k, provided that it implements the canonical f-resilient failure-oblivious service S of type U for J and k, in the same sense as for atomic objects.

6.2 Example: Totally Ordered Broadcast

We describe an f-resilient totally ordered broadcast service for a particular message alphabet M, endpoint set J and index k, as a special case of an f-resilient failure-oblivious service for J and k. To do this, we need only specify the failure-oblivious service type U = (V, V_0, invs, resps, glob, δ1, δ2, δ3). Here, V consists of a single msgs queue, containing messages that have been totally ordered, together with their sources (Figure 5). V_0 indicates that this queue is initially empty.

The invocation set invs is {bcast(m) : m ∈ M}. The response set resps is {rcv(m, i) : m ∈ M, i ∈ J}. (rcv(m, i) indicates the receipt of message m from sender i. This receipt can occur at any endpoint.) glob consists of one task named g, that is, glob = {g}. δ1, the relation describing the transitions that process invocations from inv-buffers, is defined in Figure 6.

This code processes the first element of inv-buffer(i) by adding it to the end of the sequence stored in msgs. (Formally, δ1((a, i, v), (B, v')) holds iff a = bcast(m), v'.msgs is the result of adding (m, i) to the end of v.msgs, and B(j) is empty for all j.)

δ2 is the identity relation, indicating that no other processing is done on behalf of i. Relation δ3 is defined in Figure 7.

(Formally, δ3(v, (B, v')) holds iff either (a) v.msgs is nonempty, (m, i) = head(v.msgs), v'.msgs = tail(v.msgs), and for every j ∈ J, B(j) is the sequence consisting of the single element rcv(m, i), or (b) v.msgs is empty, v' = v, and for every j, B(j) is the empty sequence.)
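The canonical failure-oblivious automaton of Figure 4 with the totally ordered broadcast type of Figures 5 to 7 plugged in, as an added executable model (not the paper's code). The relations δ1, δ2, δ3 are represented as functions returning one chosen result (B, v'), and a service whose failed set exceeds f is assumed to take only dummy steps from then on, the worst case the canonical automaton permits.

```python
from collections import deque


class FailureObliviousService:
    """Model of the canonical f-resilient failure-oblivious service (Figure 4).
    delta1/delta2/delta3 return one result (B, v') of the corresponding total
    relation; B maps endpoints to the response sequences to append."""

    def __init__(self, endpoints, f, v0, delta1, delta2, delta3, glob=()):
        self.J = frozenset(endpoints)
        self.f = f
        self.val = v0
        self.delta1, self.delta2, self.delta3 = delta1, delta2, delta3
        self.glob = tuple(glob)
        self.inv_buffer = {i: deque() for i in self.J}
        self.resp_buffer = {i: deque() for i in self.J}
        self.failed = set()

    def invoke(self, i, a):            # input a_{i,k}: queue the invocation
        self.inv_buffer[i].append(a)

    def fail(self, i):                 # input fail_i: only grows the failed set
        self.failed.add(i)

    def killed(self):
        # With more than f failed endpoints every task may take its dummy step
        # forever; this model takes that worst case ("the service stops").
        return len(self.failed) > self.f

    def _apply(self, B, v):            # common effect: val <- v, append B(j)
        self.val = v
        for j in self.J:
            self.resp_buffer[j].extend(B.get(j, ()))

    def perform(self, i):              # task i-perform: perform_{i,k} via delta1
        if self.killed() or not self.inv_buffer[i]:
            return False
        a = self.inv_buffer[i].popleft()          # a = head(inv-buffer(i))
        self._apply(*self.delta1(a, i, self.val))
        return True

    def compute(self, i):              # task i-compute: compute_{i,k} via delta2
        if self.killed():
            return False
        self._apply(*self.delta2(i, self.val))
        return True

    def compute_global(self, g):       # task g-compute: compute_{g,k} via delta3
        if self.killed():
            return False
        self._apply(*self.delta3(self.val))
        return True

    def output(self, i):               # output b_{i,k}: head of resp-buffer(i)
        return self.resp_buffer[i].popleft() if self.resp_buffer[i] else None


def totally_ordered_broadcast_type(J):
    """The service type of Section 6.2: val is the msgs queue (Figure 5)."""
    def delta1(a, i, msgs):            # Figure 6: bcast(m) appends (m, i)
        kind, m = a
        assert kind == "bcast"
        return {}, msgs + ((m, i),)

    def delta2(i, msgs):               # identity: nothing done per endpoint
        return {}, msgs

    def delta3(msgs):                  # Figure 7: deliver head(msgs) everywhere
        if not msgs:
            return {}, msgs
        (m, i), rest = msgs[0], msgs[1:]
        return {j: [("rcv", m, i)] for j in J}, rest

    return (), delta1, delta2, delta3


def run_tob_example():
    """Constructed run: three endpoints, f = 1; endpoints 1 and 2 broadcast and
    endpoint 3 fails midway.  Returns {endpoint: [(m, sender), ...]}; the order
    is the same everywhere and the failure (at most f) changes nothing."""
    J = (1, 2, 3)
    v0, d1, d2, d3 = totally_ordered_broadcast_type(J)
    svc = FailureObliviousService(J, 1, v0, d1, d2, d3, glob=("g",))
    svc.invoke(1, ("bcast", "x"))
    svc.invoke(2, ("bcast", "y"))
    svc.perform(2)                     # the service happens to order y first
    svc.fail(3)                        # one failure: processing is unaffected
    svc.perform(1)
    while svc.compute_global("g") and svc.val:
        pass                           # g-compute steps until msgs is drained
    delivered = {}
    for j in J:                        # responses are queued even for failed 3
        delivered[j] = []
        while (r := svc.output(j)) is not None:
            delivered[j].append((r[1], r[2]))
    return delivered
```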

6.3 Impossibility of Boosting

Let index set K include now the indices of all failure-oblivious services. Now the notion of k-similarity restricts the states of all registers and of all atomic and failure-oblivious services except S_k.

We now argue that Lemmas 2-8 extend to this case.

Lemma 2: We have added the i-compute and g-compute tasks to the definition of a service, Figure 4. These are defined using total transition relations δ2 and δ3. Since these are total relations, we see from Figure 4 that these tasks are always enabled. Hence Lemma 2 still holds.

CanonicalFailureObliviousService(U, J, f, k),
where U = (V, V_0, invs, resps, glob, δ1, δ2, δ3)

Signature:
  Inputs:
    a_{i,k}, a ∈ invs, i ∈ J
    fail_i, i ∈ J
  Outputs:
    b_{i,k}, b ∈ resps, i ∈ J
  Internals:
    perform_{i,k}, i ∈ J
    compute_{i,k}, i ∈ J
    dummy-*_{i,k}, * ∈ {perform, compute, output}, i ∈ J
    compute_{g,k}, g ∈ glob
    dummy-compute_{g,k}, g ∈ glob

State components:
  As for canonical atomic object.

Transitions:
  Input: a_{i,k}
    As for canonical atomic object.

  Internal: perform_{i,k}
    Precondition:
      a = head(inv-buffer(i))
      δ1((a, i, val), (B, v))
    Effect:
      remove head of inv-buffer(i)
      val ← v
      for j ∈ J do
        add B(j) to end of resp-buffer(j)

  Internal: compute_{i,k}, i ∈ J
    Precondition:
      δ2((i, val), (B, v))
    Effect:
      val ← v
      for j ∈ J do
        add B(j) to end of resp-buffer(j)

  Internal: compute_{g,k}, g ∈ glob
    Precondition:
      δ3(val, (B, v))
    Effect:
      val ← v
      for j ∈ J do
        add B(j) to end of resp-buffer(j)

  Output: b_{i,k}
    As for canonical atomic object.

  Input: fail_i
    As for canonical atomic object.

  Internal: dummy-*_{i,k}, i ∈ J
    As for canonical atomic object.

  Internal: dummy-compute_{g,k}, g ∈ glob
    Precondition:
      |failed| > f
    Effect:
      none

Tasks:
  For every i ∈ J:
    i-perform: {perform_{i,k}, dummy-perform_{i,k}}
    i-compute: {compute_{i,k}, dummy-compute_{i,k}}
    i-output: {b_{i,k} : b ∈ resps} ∪ {dummy-output_{i,k}}
  For every g ∈ glob:
    g-compute: {compute_{g,k}, dummy-compute_{g,k}}

Figure 4: A canonical failure-oblivious service.

Components of val:
  msgs, a finite sequence of items in M × J, initially empty

Figure 5: The composition of val in a totally ordered broadcast service.

Internal: perform_{i,k}
  Precondition:
    send(m) = head(inv-buffer(i))
  Effect:
    remove head of inv-buffer(i)
    add (m, i) to msgs

Figure 6: Relation δ1 in a totally ordered broadcast service.

Lemmas 3-5: The proofs of these lemmas do not depend on the definition of a service, and so they carry over.

Lemma 6: The proof carries over by replacing every reference to perform_{i,k} actions with a reference to perform_{i,k} or compute_{i,k} or compute_{g,k} actions. We provide a complete proof in Appendix B.

Lemma 7: Since service S_k is "silent" along γ, the change in its definition does not affect the proof. The other services have the same behavior along γ and γ', and the original proof of Lemma 7 does not refer to their detailed definition. Hence this proof carries over.

Lemma 8: Claims 1, 2, 3, and 5 carry over with no difference in the proof, since their proof does not refer to the definition of actions of services. For Claim 4, the proof of case 1 (participants(e, s) = participants(e', s) = {S_k}) must be modified by replacing every reference to i-perform tasks with a reference to i-perform or i-compute or g-compute tasks. The proofs of the other cases carry over. Hence the lemma as a whole carries over. We provide a complete proof in Appendix B.

Hence the following result:

Theorem 10 Let f and n be integers, 0 ≤ f < n − 1. There does not exist an (f + 1)-resilient n-process implementation of consensus from canonical f-resilient atomic services, canonical f-resilient failure-oblivious services, and canonical reliable registers.



Internal: compute_{g,k}
  Precondition:
    true
  Effect:
    if (m, i) = head(msgs) then
      remove head of msgs
      for each j ∈ J:
        add rcv(m, i) to resp-buffer(j)

Figure 7: Relation δ3 in a totally ordered broadcast service.

7 General (Failure-Aware) Services

A general, or failure-aware, service is a further generalization of a failure-oblivious service. This time, the generalization removes the failure-oblivious constraint, allowing the service's decisions to depend on knowledge of failures of processes connected to the service.

7.1 f-resilient general services

A canonical f-resilient general service is parameterized by J, f, and k, which have the same meanings as for canonical failure-oblivious services, and by a service type parameter U, which is a tuple (V, V_0, invs, resps, glob, δ1, δ2, δ3), as for failure-oblivious services. This time, however, the domains of δ1, δ2, and δ3 are invs × J × V × 2^J, J × V × 2^J, and V × 2^J, respectively. The final argument, in each case, will be instantiated in the service code with the current failed set.

The only portions of the code that are different from those for failure-oblivious services are the three transition definitions that use δ1, δ2, and δ3 (Figure 8).

Internal: perform_{i,k}
  Precondition:
    a = head(inv-buffer(i))
    δ1((a, i, val, failed), (B, v))
  Effect:
    remove head of inv-buffer(i)
    val ← v
    for j ∈ J do
      add B(j) to end of resp-buffer(j)

Internal: compute_{i,k}, i ∈ J
  Precondition:
    δ2((i, val, failed), (B, v))
  Effect:
    val ← v
    for j ∈ J do
      add B(j) to end of resp-buffer(j)

Internal: compute_{g,k}, g ∈ glob
  Precondition:
    δ3((val, failed), (B, v))
  Effect:
    val ← v
    for j ∈ J do
      add B(j) to end of resp-buffer(j)

Figure 8: Relations δ1, δ2 and δ3 in a general service.

An I/O automaton A is an f-resilient general service of type U, endpoint set J, and index k, provided that it implements the canonical f-resilient general service S of type U for J and k, in the same sense as for atomic and failure-oblivious services.

7.2 Examples: Failure detectors

In this section, we describe how a variety of well-known failure detectors [4, 5] can be modeled as general services. Our failure detectors do not provide all the functionality of the standard model [4]: because our failure detectors are automata, they cannot predict future input actions. Thus, our services encompass only realistic failure detectors [7].

All of our failure detector services have empty invs sets, that is, their only inputs are fail_i actions.

7.2.1 Perfect Failure Detector P

First, we define an f-resilient perfect failure detector for J and k. P contains only one (trivial) state, that is, the service maintains no internal information other than the failed set. Responses are of the form suspect(J'), J' ⊆ J. The set glob of global tasks is empty. Since there are no invocations, δ1 is trivial. Since there are no global tasks, δ3 is empty. All that remains is to define δ2, which describes computation on behalf of each process i: δ2(i, failed) simply puts a suspect response containing the current failed set into i's response buffer (Figure 9).

Internal: compute_{i,k}
  Precondition:
    true
  Effect:
    add suspect(failed) to resp-buffer(i)

Figure 9: Relation δ2 in P.

7.2.2 Eventually Perfect Failure Detector ◇P

Again, responses are of the form suspect(J'), J' ⊆ J. We model eventual perfection using a mode variable, which can take on values perfect or imperfect. Initially, and after each new failure, mode is set to imperfect. A background task is responsible for eventually switching mode to perfect. Since failures must eventually stop, the mode eventually remains perfect. While in perfect mode, the failure detector suspects exactly the processes that have failed. In imperfect mode, suspicions are arbitrary. The set of internal state components in ◇P is presented in Figure 10.

Components of val:
  mode ∈ {perfect, imperfect}, initially imperfect
  oldfailed ⊆ J, initially ∅

Figure 10: The composition of val in ◇P.
The global task set glob = {g1, g2}. Task g1 is responsible for setting mode to imperfect while task g2 sets it to perfect. The interesting transition definitions are presented in Figure 11.

Internal: compute_{i,k}
  Precondition:
    true
  Effect:
    if mode = perfect then
      add suspect(failed) to resp-buffer(i)
    else
      choose J' where J' ⊆ J
      add suspect(J') to resp-buffer(i)

Internal: compute_{g1,k}
  Precondition:
    true
  Effect:
    if failed ≠ oldfailed then
      mode := imperfect
      oldfailed := failed

Internal: compute_{g2,k}
  Precondition:
    true
  Effect:
    if failed = oldfailed then
      mode := perfect

Figure 11: Internal transitions in ◇P.

7.2.3 Eventual Leader Service Ω

The eventual leader service Ω provides leader(l) responses at all nodes, where l ∈ J. Eventually (assuming that not all processes fail), the latest leader announcements should be identical at all endpoints, and should indicate the name of a non-failed endpoint. We again model eventual perfection using a mode variable (Figure 12).

Components of val:
  mode ∈ {perfect, imperfect}, initially imperfect
  oldfailed ⊆ J, initially ∅
  leader ∈ J ∪ {⊥}, initially ⊥

Figure 12: The composition of val in Ω.

We again use two global tasks g1, g2. Now g1 sets mode to imperfect and removes any choice of leader, while g2 sets mode to perfect and chooses a leader. The corresponding transition definitions are presented in Figure 13.

Internal: compute_{i,k}
  Precondition:
    true
  Effect:
    if mode = perfect then
      add leader(leader) to resp-buffer(i)
    else
      choose j ∈ J
      add leader(j) to resp-buffer(i)

Internal: compute_{g1,k}
  Precondition:
    true
  Effect:
    if failed ≠ oldfailed then
      leader := ⊥
      mode := imperfect
      oldfailed := failed

Internal: compute_{g2,k}
  Precondition:
    true
  Effect:
    if failed = oldfailed ∧ leader = ⊥ then
      leader := choose l where l ∈ J − failed
      mode := perfect

Figure 13: Internal transitions in Ω.

7.3 Impossibility of Boosting

Our impossibility results for atomic and failure-oblivious services allow arbitrary connections between processes and services. However, it turns out that we can boost the resilience of systems containing failure-aware services, if we allow arbitrary connection patterns:

For example, consider a system that uses wait-free registers and 1-resilient perfect failure detectors. Suppose that every pair of processes shares a 1-resilient 2-process perfect failure detector. Such a system can implement a wait-free perfect failure detector for all processes as follows: process i just listens to all failure detectors it is connected to and accumulates the set of suspected processes in a dedicated register. Periodically, it outputs its set of suspected processes. Each 2-process detector is 1-resilient, so it keeps operating as long as process i itself is alive, whatever happens to the other processes; hence the construction is wait-free, and its output remains perfect because each detector reports only its own failed endpoint. Using this construction, f-resilient consensus, for any f, can be implemented using wait-free registers and 1-resilient services.
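To make the connectivity argument concrete, here is an added Python sketch (not from the paper) of the construction above, placed next to the all-connected pattern that Theorem 11 rules out. A perfect detector answers exactly the failed members of its endpoint set while at most f of them have failed and stops (returns None) otherwise; process i unions what its pairwise detectors tell it. The query-style interface and the use of a Python set as the "dedicated register" are assumptions of this example.

```python
from itertools import combinations


class PerfectFD:
    """Perfect failure detector over `endpoints`, f-resilient: it reports
    exactly the failed endpoints while at most f of them have failed, and
    stops (dummy steps only, modelled as None) once more than f have failed."""

    def __init__(self, endpoints, f):
        self.endpoints = frozenset(endpoints)
        self.f = f

    def query(self, asker, failed):
        if asker not in self.endpoints:
            raise ValueError(f"process {asker} is not connected to this service")
        crashed = self.endpoints & failed
        if len(crashed) > self.f:
            return None                      # service disabled
        return crashed                       # perfect: never a live process


class BoostedSystem:
    """Every pair {i, j} shares its own 1-resilient 2-process detector."""

    def __init__(self, n):
        self.n = n
        self.detectors = [PerfectFD(pair, f=1) for pair in combinations(range(n), 2)]
        # process i's dedicated register holding the suspects accumulated so far
        self.suspects = {i: set() for i in range(n)}

    def listen(self, i, failed):
        """Process i polls every detector it is connected to.  A detector that
        has stopped is skipped; that is harmless because a pair detector only
        stops when both of its endpoints failed, and i is alive."""
        for d in self.detectors:
            if i in d.endpoints:
                report = d.query(i, failed)
                if report is not None:
                    self.suspects[i] |= report
        return frozenset(self.suspects[i])


def boosted_view(n, failed):
    """Output of the wait-free composite detector at every live process."""
    failed = frozenset(failed)
    system = BoostedSystem(n)
    return {i: system.listen(i, failed) for i in range(n) if i not in failed}


def shared_view(n, failed):
    """Same failure pattern with a single 1-resilient detector connected to
    all n processes: the second failure disables it for everybody."""
    failed = frozenset(failed)
    fd = PerfectFD(range(n), f=1)
    return {i: fd.query(i, failed) for i in range(n) if i not in failed}


if __name__ == "__main__":
    print(boosted_view(5, {1, 2, 3, 4}))   # process 0 still sees all four failures
    print(shared_view(5, {1, 2}))          # every live process gets None
```

With n = 5 and four crashes, the only live process still obtains the exact failed set from its four pair detectors, whereas a single detector connected to all five processes is already useless after two crashes; this is precisely the difference between the two connection patterns that the next paragraph contrasts.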

This boosting is, however, impossible if we assume a system in which f-resilient failure-aware services must be connected to all processes; then f + 1 process failures overall can disable all the failure-aware services. We assume that the system may also contain f-resilient failure-oblivious services, connected to arbitrary processes. By applying arguments similar to the ones presented in Section 4, we can prove boosting to be impossible, i.e., that (f + 1)-resilient consensus cannot be solved in such a model.

The proof is also based on analysis of a "hook". In fact, we need to introduce only slight modifications into the proofs of Lemmas 6 and 7: Let α0 and α1 be any two univalent failure-free input-first executions whose respective final states, s0 and s1, are j-similar (respectively, k-similar). Assume, by contradiction, that α0 and α1 have opposite valences. The definitions of j-similarity and k-similarity do not restrict the states of failure-aware services; that is, failure-aware services can have arbitrary states in s0 and s1, the respective final states of α0 and α1.

However, note that the f + 1 failures of processes in J allow every failure-aware service to stop performing (non-dummy) locally controlled steps. Then, following the arguments of Lemmas 6 and 7, we can construct a failure-free extension of α0, α0 · γ', such that (1) γ' includes decide(v)_l for some l ∈ I − J; (2) γ' includes no locally controlled step of process P_j, nor any perform_j, compute_j, or output_j step of any service or register (respectively, γ' includes no locally controlled step of service S_k); (3) γ' includes no locally controlled step of any failure-aware service. Thus, γ' is essentially applicable after α1, a contradiction with the assumption that α0 and α1 have opposite valences.

We first note that Lemmas 2-5 carry over to the 
case of general services. The argument for this is iden- 
tical to that for failure-oblivious services, given in Sec- 
tion 6.3. 

For Lemma 6: The proof for the case of failure-oblivious services already handles both atomic and failure-oblivious services. To handle f-resilient general services, we note that we can assume that all of these services are "silent" along γ, since the occurrence of f + 1 fail_i actions enables a dummy action in every task of every general service. Thus the different definition of the actions perform_{i,k}, compute_{i,k} and compute_{g,k}, in particular their ability to observe the set of failed processes, makes no difference. Hence γ' can be appended after α1 in the same way as in the proof for the case of failure-oblivious services.

For Lemma 7: Since the service S_k can be "silenced" as before, the proof is unchanged from that for failure-oblivious services.

For Lemma 8: We defined the hook so that it does not contain any fail_i actions. Hence at all states in the hook, the set failed of failed processes is empty. Thus the different definition of the actions perform_{i,k}, compute_{i,k} and compute_{g,k}, in particular their ability to observe the set of failed processes, makes no difference. Hence the proof is unchanged from that for failure-oblivious services.

Hence the following result:

Theorem 11 Let f and n be integers, 0 ≤ f < n − 1. There does not exist an (f + 1)-resilient n-process implementation of consensus from canonical f-resilient general services connected to all processes, canonical f-resilient atomic services (connected to arbitrary processes), canonical f-resilient failure-oblivious services (connected to arbitrary processes), and canonical reliable registers.



8 Conclusions

We have established the impossibility of boosting the resilience of services in a distributed asynchronous system where processes are subject to undetectable stopping failures. Our results can be viewed as a generalization, to any number f of failures, of the impossibility result of Fischer, Lynch and Paterson [8] for f = 1. While our first result (for atomic objects) can be derived from existing results in the literature, the direct proof that we give is simpler, and is also easily extended to more general services than atomic objects.
Appendix A Alternative proof for atomic services

In this section, we show how our result for the case of atomic objects can be derived from earlier results [3, 11, 16, 17]. This alternative proof of our result was obtained independently and concurrently by Jayanti [15] and Guerraoui and Kouznetsov [9]. However, this alternative proof does not extend to more general services.

A.1 The proof

The following two lemmas are restatements, in our terminology, of the "necessity" part and the "sufficiency" part of Theorem 4.1 in [3], respectively.



Lemma 12 Let f and n be integers, 0 ≤ f, 1 ≤ n. Then there exists an f-resilient n-process implementation of consensus from wait-free (f + 1)-process consensus objects and reliable registers.⁴

Lemma 13 Let f and n be integers, 2 ≤ f < n. Then there exists a wait-free (f + 1)-process implementation of consensus from f-resilient n-process consensus objects and reliable registers.

The following result follows easily from Herlihy's universal construction [11]:

Lemma 14 Let f and n be integers, 0 ≤ f, 1 ≤ n. Let T be a sequential type. Then there exists an f-resilient n-process implementation of an atomic object of type T from f-resilient n-process consensus objects and reliable registers.

The following result is shown in [16].

Lemma 15 Let n be an integer, n > 0. There does not exist a wait-free (n + 1)-process implementation of consensus from wait-free n-process consensus objects and reliable registers.

Theorem 1 Let f and n be integers, 0 ≤ f < n − 1. There does not exist an (f + 1)-resilient n-process implementation of consensus from f-resilient atomic objects and reliable registers.

Proof: By contradiction, assume that there exists an (f + 1)-resilient n-process implementation of consensus from f-resilient atomic objects and reliable registers. We consider two cases.

First suppose that f = 0, so n ≥ 2. Thus, we have a 1-resilient n-process implementation of consensus using 0-resilient atomic objects and reliable registers. By Lemma 14, each 0-resilient atomic object used in this implementation can itself be implemented from 0-resilient consensus objects and reliable registers. By substituting these implementations for the objects, we obtain a 1-resilient n-process implementation of consensus using 0-resilient consensus objects and reliable registers. Now, a 0-resilient consensus object can be implemented from reliable registers,⁵ so substituting once more, we obtain a 1-resilient n-process implementation of consensus using only reliable registers. But this contradicts the impossibility result of [17].

Now suppose that f ≥ 1. By Lemma 14, each f-resilient atomic object used in this implementation can itself be implemented from f-resilient consensus objects and reliable registers. By substituting, we obtain an (f + 1)-resilient n-process implementation of consensus from f-resilient consensus objects and reliable registers. By Lemma 12, each f-resilient consensus object used in this implementation can be implemented from wait-free (f + 1)-process consensus objects and reliable registers. By substituting again, we obtain an (f + 1)-resilient n-process implementation of consensus from wait-free (f + 1)-process consensus objects and reliable registers. Now by Lemma 13 (using the fact that 2 ≤ f + 1 < n), a wait-free (f + 2)-process consensus object can be implemented from (f + 1)-resilient n-process consensus objects and reliable registers. By substituting, we obtain an implementation of a wait-free (f + 2)-process consensus object from wait-free (f + 1)-process consensus objects and reliable registers. But this contradicts Lemma 15. □

⁴ Theorem 4.1 in [3] assumes 2 ≤ f. However, the necessity part of the theorem requires only 0 ≤ f.

⁵ A 0-resilient consensus with endpoint set J can be easily implemented from two reliable registers as follows. Every process participating in the consensus algorithm writes its input value in a dedicated "proposal" register R (initialized to ⊥). Then the process keeps reading a dedicated "decision" register D (initialized to ⊥) until a non-⊥ value is read, in which case the process decides on this value. In parallel, a dedicated process P_i (i ∈ J) keeps reading R. As soon as P_i reads a non-⊥ value v in R, P_i writes v in D.
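The register construction of footnote 5 is simple enough to run. The following Python simulation is an added example (not from the paper): it schedules the processes round-robin over two reliable registers R and D and lets the caller crash any subset before it takes a step. It shows both that every live process decides the same proposed value and why the construction is only 0-resilient: the one failure that matters, that of the dedicated copier P_i, leaves D at ⊥ forever. The round-robin scheduler and the "last writer wins" reading of the multi-writer register R are assumptions of this example.

```python
BOTTOM = None  # the paper's ⊥


class Register:
    """Reliable multi-writer multi-reader register (last write wins)."""

    def __init__(self):
        self.value = BOTTOM

    def read(self):
        return self.value

    def write(self, v):
        self.value = v


class RegisterConsensus:
    """0-resilient consensus from the two registers of footnote 5."""

    def __init__(self, inputs, copier):
        if copier not in inputs:
            raise ValueError("the dedicated process must be an endpoint")
        self.inputs = dict(inputs)      # process -> proposed value
        self.copier = copier            # the dedicated process P_i
        self.R = Register()             # "proposal" register
        self.D = Register()             # "decision" register
        self.proposed = set()
        self.copied = False
        self.decided = {}

    def step(self, p):
        """One local step of process p.  First step: write the input to R.
        Later steps: the copier moves the first non-⊥ value of R into D
        (once); everybody polls D and decides on its first non-⊥ value."""
        if p not in self.proposed:
            self.R.write(self.inputs[p])
            self.proposed.add(p)
            return None
        if p == self.copier and not self.copied:
            v = self.R.read()
            if v is not BOTTOM:
                self.D.write(v)
                self.copied = True
        d = self.D.read()
        if d is not BOTTOM:
            self.decided.setdefault(p, d)
        return self.decided.get(p)


def run(inputs, copier, failed=(), rounds=10):
    """Round-robin scheduler; processes in `failed` never take a step.
    Returns the decisions reached by the live processes."""
    failed = set(failed)
    cs = RegisterConsensus(inputs, copier)
    for _ in range(rounds):
        for p in sorted(cs.inputs):
            if p not in failed:
                cs.step(p)
    return dict(cs.decided)


if __name__ == "__main__":
    inputs = {0: "a", 1: "b", 2: "c"}
    print(run(inputs, copier=1))               # all three decide the same value
    print(run(inputs, copier=1, failed={2}))   # a non-copier crash is tolerated
    print(run(inputs, copier=1, failed={1}))   # the copier crashes: nobody decides
```

Agreement follows because D is written exactly once, and validity because the value written to D was read from R, which only ever holds proposals. The crash of a non-copier happens to be survived, but resilience is a worst-case property: since the single crash of P_i blocks every decision, the object is 0-resilient, which is exactly what the substitution step in the proof above needs.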



A.2 Extension to more general services

The argument in the previous subsection does not extend to all services. Here we give two reasons for this.

First, the universality result fails to hold for many distributed services. In particular, no meaningful failure detector can be implemented from consensus objects. Indeed, by definition, an atomic service does not provide any information about failures: the value of the service is not affected by failures of processes. Here we simply give an example, showing that consensus cannot implement a perfect failure detector.

Indeed, assume, by contradiction, that there is an algorithm A that implements a perfect failure detector in a system of n processes using n-process consensus objects and registers. Consider any finite execution α of A in which process i is faulty and is declared to be faulty. Now consider an execution α' that is identical to α except that α' includes no fail_i event (i is just slow to take steps in α'). Clearly, α' is also a finite execution of A, since registers and consensus objects are failure-oblivious. Thus, in α', a process is declared faulty without having failed, a contradiction.

The second reason why the arguments of [3] do not work with non-atomic services is that, generally speaking, an f-resilient implementation of n-process consensus is not equivalent to a wait-free implementation of (f + 1)-process consensus (Theorem 4.1 of [3]). Indeed, if f-resilient k-process consensus is implemented from non-atomic services, the simulation algorithm presented in the proof of Theorem 4.1 in [3] is not valid: a step of a process accessing a general service cannot always be simulated by another process. This is because a response of a non-atomic service to a given process i cannot necessarily be simulated by another process j without communicating with i; i.e., no set of f + 1 processes can independently simulate an f-resilient k-process consensus algorithm without communicating with the rest of the system.



Appendix B Complete proofs for failure-oblivious services



Proof of Lemma 6 when failure-oblivious services are allowed.

Lemma 6 Let j ∈ I. Let α0 and α1 be finite failure-free input-first executions, s0 and s1 the respective final states of α0 and α1. Suppose that s0 and s1 are j-similar. If α0 and α1 are univalent, then they have the same valence.

Proof: We proceed by contradiction. Without loss of generality, assume that all services are failure-oblivious. Atomic services can be handled by the same argument as used in the proof of Lemma 6 for atomic services only.

Fix j, α0, α1, s0, and s1 as in the hypotheses of the lemma, and suppose (without loss of generality) that α0 is 0-valent and α1 is 1-valent. Let J ⊆ I be any set of indices such that j ∈ J and |J| = f + 1. Since f < n − 1 by assumption, we have |J| < n, and so I − J is nonempty.

Consider a fair extension of α0, α0 · β, in which the first f + 1 actions of β are fail_i, i ∈ J, and no other fail actions occur in β. Note that, for all i ∈ J, β contains no output actions of P_i. Assume that in β, no perform_{i,c}, compute_{i,c}, or b_{i,c} action of any i-* task, i ∈ J, occurs at any component c ∈ K ∪ R; we may assume this because, for each i ∈ J, action fail_i enables a dummy action in every task of every service and register (* is perform or compute or output).

Further assume that in β, no compute_{g,c} action of any g-compute task occurs at any component c ∈ K ∪ R; we may assume this because the occurrence of f + 1 fail_i actions enables the dummy-compute_{g,c} action in every g-compute task of every failure-oblivious service c.

Since α0 is a failure-free input-first execution, the resulting extension α0 · β is a fair input-first execution containing f + 1 failures. Therefore, the termination property for (f + 1)-resilient consensus implies that there is a finite prefix of α0 · β, which we denote by α0 · γ, that includes decide(v)_l for some l ∉ J and v ∈ {0, 1}. Construct α0 · γ', where γ' is obtained from γ by removing the fail_i actions, all dummy actions, and any remaining internal actions of P_i, i ∈ J. Thus, α0 · γ' is a failure-free extension of α0 that includes decide(v)_l. Since α0 is 0-valent, v must be equal to 0.

We claim that decide(0)_l occurs in the suffix γ', rather than in the prefix α0. Suppose for contradiction that the decide(0)_l action occurs in the prefix α0. Then by our technical assumption about processes, the decision value is recorded in the state of P_l. Since s0 and s1 are j-similar and l ≠ j, the same decision value appears in the state s1. But this contradicts the assumption that α1, which ends in s1, is 1-valent. So, it must be that decide(0)_l occurs in the suffix γ'.

Now we show how to append essentially the same γ' after α1. We know that, for every i ∈ J, γ' contains no locally controlled action of P_i, and contains no perform_{i,c}, compute_{i,c}, or b_{i,c} action, for any c ∈ K ∪ R. By definition of j-similarity and j ∈ J, we have:

(a) For every i ∈ I − J, the state of P_i is the same in s0 and s1.

(b) For every c ∈ K ∪ R,

  1. The value of val_c is the same in s0 and s1 (that is, in the final states of α0 and α1).

  2. For every i ∈ J_c − J, the value of buffer(i)_c is the same in s0 and s1.

Thus:

(c) If γ' contains any locally controlled steps of a process P_i, then i ∉ J, and so the state of P_i is the same in s0 and s1.

(d) For every c ∈ K ∪ R,

  1. The value of val_c is the same in s0 and s1.

  2. For every i ∈ J_c, if γ' contains any perform_{i,c}, compute_{i,c}, or output_{i,c} actions, then i ∉ J, and so the value of buffer(i)_c is the same in s0 and s1.

It follows that it is possible to append "essentially" the same γ' after α1, resulting in a failure-free extension of α1 that includes decide(0)_l.⁶



Finally, we note that the presence of compute_{g,c} does not invalidate the argument. A compute_{g,c} cannot refer to or modify any input buffers. The precondition of compute_{g,c} depends only on val_c, and so the same compute_{g,c} actions can be applied in γ' after α1, and they can add the same items to the output buffers. Thus, for i ∉ J, the sequence of values that buffer(i)_c takes along γ' after α0 and along γ' after α1 is the same.

But α1 is 1-valent, a contradiction. □

⁶ Really, we are appending another execution fragment γ'' after α1, one that looks the same to all the processes and service tasks that take steps in γ'.



Proof of Lemma 7 when failure-oblivious services are allowed.

Lemma 7 Let k ∈ K. Let α0 and α1 be finite failure-free input-first executions, s0 and s1 the respective final states of α0 and α1. Suppose that s0 and s1 are k-similar. If α0 and α1 are univalent, then they have the same valence.

Proof: Fix k, α0, α1, s0, and s1 as in the hypotheses of the lemma. By contradiction, suppose (without loss of generality) that α0 is 0-valent and α1 is 1-valent. Let J ⊆ I be any set of indices such that |J| = f + 1 and, if |J_k| ≤ f + 1, then J_k ⊆ J, whereas if |J_k| > f + 1, then J ⊆ J_k.

Consider a fair extension of α0, α0 · β, in which the first f + 1 actions of β are fail_i, i ∈ J, and no other fail actions occur in β. Note that, for all i ∈ J, β contains no output actions of P_i. Assume that in β, no perform_{i,k}, b_{i,k}, compute_{i,k}, or compute_{g,k} action (b ∈ resps, g ∈ glob) of S_k occurs; we may assume this because the f + 1 fail actions enable dummy actions in all tasks of S_k.

Since α0 is a failure-free input-first execution, the resulting extension α0 · β is a fair input-first execution containing f + 1 fail actions. Therefore, the termination property for (f + 1)-resilient consensus implies that there is a finite prefix of α0 · β, which we denote by α0 · γ, that includes decide(v)_l for some l ∈ I − J and v ∈ {0, 1}. We know that decide(v)_l occurs in the suffix γ, rather than in the prefix α0, by an argument similar to that in the proof of Lemma 6.

Now construct α0 · γ', where γ' is obtained from γ by removing all the fail_i actions, i ∈ J, and all dummy actions. Thus, α0 · γ' is a failure-free extension of α0 that includes decide(v)_l. Since α0 is 0-valent, v must be equal to 0.

Now we show how to append essentially the same γ' after α1. By definition of k-similarity, we have:

(a) For every i ∈ I, the state of P_i is the same in s0 and s1.

(b) For every c ∈ (K − {k}) ∪ R, the state of S_c is the same in s0 and s1.

Thus:

(c) For every c ∈ K ∪ R, if γ' contains any perform_{i,c}, b_{i,c}, compute_{i,c}, or compute_{g,c} actions of S_c, then the state of S_c is the same in s0 and s1, since c ≠ k in this case.

By properties (a) and (c), it follows that it is possible to append "essentially" the same γ' after α1 (differing only in the state of S_k), resulting in a failure-free extension of α1 that includes decide(0)_l. But α1 is 1-valent, a contradiction. □



Proof of Lemma 8 when failure-oblivious services are allowed.

Lemma 8 We establish the same 5 claims as in the case of atomic services, which establishes the needed contradiction.

Claims 1, 2, and 5 do not refer to the definition of a service, and so their proofs remain unchanged from the atomic services case.

The proof of Claim 3 is unchanged, since the only actions considered have as participants either a process P_i, or P_i and a component S_c, c ∈ K ∪ R. Thus, whenever S_c is a participant, the action must be an external action of S_c. Since the external actions in the definitions of atomic service and failure-oblivious service have the same effect, namely to add or remove a single item from a single buffer, it follows that the proof of Claim 3 for the atomic case still applies.

The proof of Claim 4 is modified as follows.

Claim 4: There does not exist k ∈ K such that S_k ∈ participants(e, s) ∩ participants(e', s).

Suppose for contradiction that S_k ∈ participants(e, s) ∩ participants(e', s). There are four possibilities:

1. participants(e, s) = participants(e', s) = {S_k}.

   Then e and e' must be i-perform or i-compute or g-compute tasks of S_k, and so involve only the state of S_k. But then the states s0 and s1 can differ only in the state of S_k. So s0 and s1 are k-similar, a contradiction.

2. For some i ∈ I, participants(e, s) = {S_k, P_i} and participants(e', s) = {S_k}.

   Hence action(e, s) is either a_{i,k} or b_{i,k}, and action(e', s) is one of perform_{j,k}, compute_{j,k}, or compute_{g,k}, where j ∈ J_k, g ∈ glob.

   Inspection of the definition of a failure-oblivious service shows that the two tasks commute, that is, e'(s0) = s1, a contradiction.

3. For some i ∈ I, participants(e', s) = {S_k, P_i} and participants(e, s) = {S_k}.

   Hence action(e, s) is one of perform_{j,k}, compute_{j,k}, or compute_{g,k}, where j ∈ J_k, g ∈ glob, and action(e', s) is either a_{i,k} or b_{i,k}.

   Inspection of the definition of a failure-oblivious service shows that the two tasks commute, that is, e'(s0) = s1, a contradiction.

4. For some i, j ∈ I, participants(e, s) = {S_k, P_i} and participants(e', s) = {S_k, P_j}.

   By Claim 3, we know that i ≠ j. Now action(e, s) is either a_{i,k} or b_{i,k}, and action(e', s) is either a_{j,k} or b_{j,k}.

   Inspection of the definition of a failure-oblivious service shows that the two tasks commute, that is, e'(s0) = s1, a contradiction.